VYPR
Medium severity 6.5 · NVD Advisory · Published Aug 18, 2024 · Updated Apr 15, 2026

CVE-2024-43307

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gordon Böhme, Antonio Leutsch Structured Content allows Stored XSS. This issue affects Structured Content: from n/a through 1.6.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WordPress Structured Content plugin allows authenticated attackers to inject arbitrary scripts.

Vulnerability Analysis

The Structured Content (JSON-LD WPSC) plugin for WordPress versions through 1.6.2 contains a Stored Cross-Site Scripting (XSS) vulnerability [1]. This issue arises from improper neutralization of user input during web page generation, allowing malicious actors to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users access the affected page [1].

Exploitation Prerequisites

Successful exploitation requires an authenticated user with at least contributor-level privileges to inject the malicious payload [1]. Although the attack is initiated by a privileged user, the vulnerability is classified as Stored XSS, meaning the injected script persists and executes automatically for any visitor accessing the compromised content [1]. No direct user interaction is needed for the payload to trigger once stored.

Impact

An attacker can inject arbitrary scripts, redirects, advertisements, or other HTML payloads into the website [1]. This can lead to session hijacking, defacement, or phishing attacks against site visitors. The vulnerability is rated as Medium severity (CVSS 3.1 base score 6.5) [1].

Mitigation

The vulnerability is patched in version 1.6.3 of the plugin [1]. Users are strongly advised to update immediately or enable auto-updates for the plugin. The vendor notes that while the vulnerability is not currently part of mass-exploit campaigns, prompt patching is recommended to prevent potential attacks [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
